[svn-commits] russell: branch group/security_events r199729 - in /team/group/security_event...

Tue Jun 9 06:35:31 CDT 2009

Author: russell
Date: Tue Jun  9 06:35:23 2009
New Revision: 199729

URL: http://svn.asterisk.org/svn-view/asterisk?view=rev&rev=199729
Log:
Add invalid password security event, Add markers to manager.c for security events

Modified:
    team/group/security_events/include/asterisk/security_events_defs.h
    team/group/security_events/main/manager.c
    team/group/security_events/main/security_events.c
    team/group/security_events/security_events.txt
    team/group/security_events/tests/test_security_events.c

Modified: team/group/security_events/include/asterisk/security_events_defs.h
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/include/asterisk/security_events_defs.h?view=diff&rev=199729&r1=199728&r2=199729
==============================================================================

--- team/group/security_events/include/asterisk/security_events_defs.h (original)
+++ team/group/security_events/include/asterisk/security_events_defs.h Tue Jun  9 06:35:23 2009
@@ -107,6 +107,10 @@
 	 * \brief An attempt at challenge/response authentication failed
 	 */
 	AST_SECURITY_EVENT_CHAL_RESP_FAILED,
+	/*!
+	 * \brief An attempt at basic password authentication failed
+	 */
+	AST_SECURITY_EVENT_INVAL_PASSWORD,
 	/* \brief This _must_ stay at the end. */
 	AST_SECURITY_EVENT_NUM_TYPES
 };
@@ -736,6 +740,49 @@
 	const char *expected_response;
 };
 
+/*!
+ * \brief An attempt at basic password auth failed
+ */
+struct ast_security_event_inval_password {
+	/*!
+	 * \brief Event descriptor version
+	 * \note This _must_ be changed if this event descriptor is changed.
+	 */
+	#define AST_SECURITY_EVENT_INVAL_PASSWORD_VERSION 1
+	/*! \brief Common security event descriptor elements */
+	struct ast_security_event_common common;
+	/*!
+	 * \brief Module, Normally the AST_MODULE define
+	 * \note optional
+	 */
+	const char *module;
+	/*!
+	 * \brief Account ID, specific to the service type
+	 * \note required
+	 */
+	const char *account_id;
+	/*!
+	 * \brief Session ID, specific to the service type
+	 * \note required
+	 */
+	const char *session_id;
+	/*!
+	 * \brief Session timeval, when the session started
+	 * \note optional
+	 */
+	const struct timeval *session_tv;
+	/*!
+	 * \brief Local address the request came in on
+	 * \note required
+	 */
+	struct ast_security_event_ipv4_addr local_addr;
+	/*!
+	 * \brief Remote address the request came from
+	 * \note required
+	 */
+	struct ast_security_event_ipv4_addr remote_addr;
+};
+
 #if defined(__cplusplus) || defined(c_plusplus)
 }
 #endif

Modified: team/group/security_events/main/manager.c
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/main/manager.c?view=diff&rev=199729&r1=199728&r2=199729
==============================================================================
--- team/group/security_events/main/manager.c (original)
+++ team/group/security_events/main/manager.c Tue Jun  9 06:35:23 2009
@@ -1735,6 +1735,16 @@
 	return maskint;
 }
 
+static void report_invalid_user(const struct mansession *s, const char *username)
+{
+	/* XXX */
+}
+
+static void report_failed_acl(const struct mansession *s, const char *username)
+{
+	/* XXX */
+}
+
 /*
  * Here we start with action_ handlers for AMI actions,
  * and the internal functions used by them.
@@ -1757,8 +1767,10 @@
 	AST_RWLIST_WRLOCK(&users);
 
 	if (!(user = get_manager_by_name_locked(username))) {
+		report_invalid_user(s, username);
 		ast_log(LOG_NOTICE, "%s tried to authenticate with nonexistent user '%s'\n", ast_inet_ntoa(s->session->sin.sin_addr), username);
 	} else if (user->ha && !ast_apply_ha(user->ha, &(s->session->sin))) {
+		report_failed_acl(s, username);
 		ast_log(LOG_NOTICE, "%s failed to pass IP ACL as '%s'\n", ast_inet_ntoa(s->session->sin.sin_addr), username);
 	} else if (!strcasecmp(astman_get_header(m, "AuthType"), "MD5")) {
 		const char *key = astman_get_header(m, "Key");
@@ -1777,13 +1789,19 @@
 				len += sprintf(md5key + len, "%2.2x", digest[x]);
 			if (!strcmp(md5key, key)) {
 				error = 0;
+			} else {
+				/* XXX Failed Challenge / response */
 			}
 		} else {
 			ast_debug(1, "MD5 authentication is not possible.  challenge: '%s'\n",
 				S_OR(s->session->challenge, ""));
 		}
-	} else if (password && user->secret && !strcmp(password, user->secret)) {
-		error = 0;
+	} else if (user->secret) {
+		if (password && !strcmp(password, user->secret)) {
+			error = 0;
+		} else {
+			/* XXX Invalid password */
+		}
 	}
 
 	if (error) {
@@ -1793,6 +1811,8 @@
 	}
 
 	/* auth complete */
+
+	/* XXX Auth Successful */
 
 	ast_copy_string(s->session->username, username, sizeof(s->session->username));
 	s->session->readperm = user->readperm;
@@ -3583,6 +3603,7 @@
 		} else {
 			astman_send_error(s, m, "Permission denied");
 			tmp = NULL;
+			/* XXX Request not allowed */
 		}
 		break;
 	}
@@ -3597,6 +3618,7 @@
 		snprintf(buf, sizeof(buf), "Invalid/unknown command: %s. Use Action: ListCommands to show available commands.", action);
 		mansession_lock(s);
 		astman_send_error(s, m, buf);
+		/* XXX Request bad format */
 		mansession_unlock(s);
 	}
 	if (ret) {

Modified: team/group/security_events/main/security_events.c
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/main/security_events.c?view=diff&rev=199729&r1=199728&r2=199729
==============================================================================
--- team/group/security_events/main/security_events.c (original)
+++ team/group/security_events/main/security_events.c Tue Jun  9 06:35:23 2009
@@ -297,7 +297,8 @@
 	},
 },
 
-[AST_SECURITY_EVENT_CHAL_RESP_FAILED] = { .name     = "ChallengeResponseFailed",
+[AST_SECURITY_EVENT_CHAL_RESP_FAILED] = {
+	.name     = "ChallengeResponseFailed",
 	.version  = AST_SECURITY_EVENT_CHAL_RESP_FAILED_VERSION,
 	.severity = AST_SECURITY_EVENT_SEVERITY_ERROR,
 	.required_ies = {
@@ -317,6 +318,28 @@
 	.optional_ies = {
 		{ AST_EVENT_IE_MODULE, SEC_EVT_FIELD(chal_resp_failed, module) },
 		{ AST_EVENT_IE_SESSION_TV, SEC_EVT_FIELD(chal_resp_failed, session_tv) },
+		{ AST_EVENT_IE_END, 0 }
+	},
+},
+
+[AST_SECURITY_EVENT_INVAL_PASSWORD] = {
+	.name     = "InvalidPassword",
+	.version  = AST_SECURITY_EVENT_INVAL_PASSWORD_VERSION,
+	.severity = AST_SECURITY_EVENT_SEVERITY_ERROR,
+	.required_ies = {
+		{ AST_EVENT_IE_EVENT_TV, 0 },
+		{ AST_EVENT_IE_SEVERITY, 0 },
+		{ AST_EVENT_IE_SERVICE, SEC_EVT_FIELD(common, service) },
+		{ AST_EVENT_IE_EVENT_VERSION, SEC_EVT_FIELD(common, version) },
+		{ AST_EVENT_IE_ACCOUNT_ID, SEC_EVT_FIELD(inval_password, account_id) },
+		{ AST_EVENT_IE_SESSION_ID, SEC_EVT_FIELD(inval_password, session_id) },
+		{ AST_EVENT_IE_LOCAL_ADDR, SEC_EVT_FIELD(inval_password, local_addr) },
+		{ AST_EVENT_IE_REMOTE_ADDR, SEC_EVT_FIELD(inval_password, remote_addr) },
+		{ AST_EVENT_IE_END, 0 }
+	},
+	.optional_ies = {
+		{ AST_EVENT_IE_MODULE, SEC_EVT_FIELD(inval_password, module) },
+		{ AST_EVENT_IE_SESSION_TV, SEC_EVT_FIELD(inval_password, session_tv) },
 		{ AST_EVENT_IE_END, 0 }
 	},
 },

Modified: team/group/security_events/security_events.txt
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/security_events.txt?view=diff&rev=199729&r1=199728&r2=199729
==============================================================================
--- team/group/security_events/security_events.txt (original)
+++ team/group/security_events/security_events.txt Tue Jun  9 06:35:23 2009
@@ -131,6 +131,10 @@
   (-) Expected Response
   DevNotes: defined, has test code
 
+Invalid Password
+  -> everything from invalid account ID
+  DevNotes: defined, has test code
+
 Successful Auth
   -> informational event
   -> everything from inval account ID
@@ -208,7 +212,8 @@
 Content: This is the security event sub-type.
 Values: FailedACL, InvalidAccountID, CallLimit, MemoryLimit, LoadAverageLimit,
         RequestNotSupported, RequestNotAllowed, AuthMethodNotAllowed,
-        ReqBadFormat, UnexpectedAddress, ChallengeResponseFailed
+        ReqBadFormat, UnexpectedAddress, ChallengeResponseFailed,
+        InvalidPassword
 
 IE: EventVersion
 Content: This is a numeric value that indicates when updates are made to the

Modified: team/group/security_events/tests/test_security_events.c
URL: http://svn.asterisk.org/svn-view/asterisk/team/group/security_events/tests/test_security_events.c?view=diff&rev=199729&r1=199728&r2=199729
==============================================================================
--- team/group/security_events/tests/test_security_events.c (original)
+++ team/group/security_events/tests/test_security_events.c Tue Jun  9 06:35:23 2009
@@ -48,6 +48,7 @@
 static void evt_gen_successful_auth(void);
 static void evt_gen_unexpected_addr(void);
 static void evt_gen_chal_resp_failed(void);
+static void evt_gen_inval_password(void);
 
 typedef void (*evt_generator)(void);
 static const evt_generator evt_generators[AST_SECURITY_EVENT_NUM_TYPES] = {
@@ -63,6 +64,7 @@
 	[AST_SECURITY_EVENT_SUCCESSFUL_AUTH]         = evt_gen_successful_auth,
 	[AST_SECURITY_EVENT_UNEXPECTED_ADDR]         = evt_gen_unexpected_addr,
 	[AST_SECURITY_EVENT_CHAL_RESP_FAILED]        = evt_gen_chal_resp_failed,
+	[AST_SECURITY_EVENT_INVAL_PASSWORD]          = evt_gen_inval_password,
 };
 
 static void evt_gen_failed_acl(void)
@@ -528,6 +530,43 @@
 	sin_remote.sin_port = htons(1234);
 
 	ast_security_event_report(AST_SEC_EVT(&chal_resp_failed));
+}
+
+static void evt_gen_inval_password(void)
+{
+	struct sockaddr_in sin_local = {
+		.sin_family = AF_INET
+	};
+	struct sockaddr_in sin_remote = {
+		.sin_family = AF_INET
+	};
+	struct timeval session_tv = ast_tvnow();
+	struct ast_security_event_inval_password inval_password = {
+		.common.event_type = AST_SECURITY_EVENT_INVAL_PASSWORD,
+		.common.version    = AST_SECURITY_EVENT_INVAL_PASSWORD_VERSION,
+		.common.service    = "TEST",
+
+		.module     = AST_MODULE,
+		.account_id = "AccountIDGoesHere",
+		.session_id = "SessionIDGoesHere",
+		.session_tv = &session_tv,
+		.local_addr = {
+			.sin  = &sin_local,
+			.transport  = AST_SECURITY_EVENT_TRANSPORT_TCP,
+		},
+		.remote_addr = {
+			.sin = &sin_remote,
+			.transport  = AST_SECURITY_EVENT_TRANSPORT_TCP,
+		},
+	};
+
+	inet_aton("10.200.100.30", &sin_local.sin_addr);
+	sin_local.sin_port = htons(4321);
+
+	inet_aton("10.200.100.40", &sin_remote.sin_addr);
+	sin_remote.sin_port = htons(1234);
+
+	ast_security_event_report(AST_SEC_EVT(&inval_password));
 }
 
 static void gen_events(struct ast_cli_args *a)


